Email authentication and protection against spoofing
What Is DMARC?
A detailed explanation of the DMARC protocol — how it works with SPF and DKIM, what the policies are (none, quarantine, reject), and why DMARC is essential for protecting your email domain.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email security protocol that protects a domain from spoofing and phishing. It works together with SPF (allowed servers) and DKIM (digital signature). The policy defines what to do with unauthenticated emails: none (report only), quarantine (spam folder) or reject (discard). Essential for banks, e-commerce, SaaS and any company that protects its brand.
- DMARC = domain protection against spoofing
- Works with SPF + DKIM
- Policies: none, quarantine, reject
- Gmail/Yahoo require DMARC since 2024
- BeoHosting: configurable in the cPanel DNS editor
BeoHosting Team
10+ years of experience — Web hosting and infrastructure specialists
- DMARC
- SPF
- DKIM
- Email security
- Phishing protection
- DNS
- Email hosting
- Spam protection
Last updated:
What is DMARC and why does it matter?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email security protocol that protects your domain from unauthorized use — known as email spoofing. Spoofing is when someone sends fake emails that look like they come from your domain.
DMARC works in combination with two other protocols: SPF (Sender Policy Framework), which defines which servers are allowed to send email from your domain, and DKIM (DomainKeys Identified Mail), which adds a digital signature to every email.
When an email server receives a message, it checks your domain's DMARC record and, based on it, decides what to do with emails that fail SPF/DKIM authentication. With BeoHosting email hosting, SPF and DKIM are automatically configured for your domain.
How DMARC works — step by step
DMARC uses SPF and DKIM to verify the authenticity of emails.
The email is sent
Your email server sends the message to the recipient. The email contains a DKIM signature and information about the sending server (for the SPF check).
The recipient checks SPF
The recipient's email server checks your domain's SPF record to determine whether the server that sent the email is authorized to send on your behalf.
The recipient checks DKIM
The recipient's server verifies the DKIM digital signature to confirm that the email content was not altered in transit.
DMARC evaluation
The server checks the DMARC record and determines whether the email passes alignment — whether the SPF and/or DKIM domain matches the From domain in the email header.
Policy enforcement
Based on the DMARC policy (none/quarantine/reject), the server decides whether to deliver the email, send it to spam, or reject it entirely.
DMARC policies: none, quarantine, reject
DMARC defines three levels of protection that you can apply to your domain.
p=noneMonitoring
Monitor only — emails are delivered normally, but you receive reports about which emails pass and which fail authentication. Ideal for the initial setup.
p=quarantineQuarantine
Emails that fail the DMARC check are placed in the recipient's spam/junk folder. Legitimate email still arrives, but fake emails end up in spam.
p=rejectReject
Emails that fail the DMARC check are rejected entirely — they never reach the recipient. The strongest protection against email spoofing and phishing.
Recommended approach
Start with p=none for 2-4 weeks to monitor the reports. Then move to p=quarantine for 2 weeks. Finally, once you are sure all legitimate services are configured correctly, move to p=reject for full protection.
Why is DMARC important for your domain?
DMARC protects your brand, improves deliverability and provides visibility.
Protection against spoofing
DMARC prevents unauthorized sending of emails from your domain. Without DMARC, attackers can send phishing emails that look like they come from you, damaging your brand and your customers' trust.
Better email deliverability
Email providers (Gmail, Outlook, Yahoo) give priority to domains with DMARC. Your legitimate emails have a greater chance of reaching the inbox instead of spam, which improves communication with customers.
Visibility and reports
DMARC sends daily reports about all emails sent from your domain — who sends them, whether they pass SPF/DKIM and where they come from. This is key to identifying unauthorized use of your domain.
Compliance with requirements
Since February 2024, Google and Yahoo require DMARC for sending more than 5,000 emails per day. Without DMARC, your bulk emails can be blocked or end up in spam.
Example DMARC DNS record
The DMARC record is added as a TXT DNS record on the _dmarc subdomain of your domain. Here is an example of a complete DMARC record:
DNS TXT record: _dmarc.yourdomain.com
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@vasdomen.rs; ruf=mailto:dmarc-forensic@vasdomen.rs; adkim=r; aspf=r; pct=100v=DMARC1The version of the DMARC protocol (always DMARC1).
p=quarantineThe policy — what to do with emails that fail the check (none/quarantine/reject).
rua=mailto:...The address for aggregate reports (daily summary reports about all emails).
ruf=mailto:...The address for forensic reports (detailed reports about individual failed emails).
adkim=rDKIM alignment mode — r (relaxed) or s (strict). Relaxed allows subdomains.
aspf=rSPF alignment mode — r (relaxed) or s (strict). Relaxed is recommended to start.
Ready to launch your website?
Join 4,000+ satisfied customers. Free migration and 15-day money-back guarantee.
Frequently asked questions about DMARC
Answers to the most common questions about our services.
Our guarantees for your peace of mind
Protected from every angle
15-day guarantee
We refund without questions in the first 15 days.
Free migration
We migrate your site with no downtime — you do nothing.
24/7 support
Our experts are here 24/7 via tickets and live chat.